Mocana Launches Supply Chain Integrity Platform to Secure IoT, ICS Devices
13.4.2018 securityweek ICS
Mocana TrustCenter Manages Security Across IoT and ICS Device Lifecycles
Securing the supply chain and securing industrial IoT devices and industrial control systems (ICS) are two of security's biggest challenges today -- but securing the supply chain of industrial IoT is particularly challenging.
Manufacturers are beginning to add security capabilities to the devices. Mocana's security software sits on around 100 million devices, and the company's customers include manufacturers such as Siemens, GE, Bosch and Panasonic. "Companies have begun to add security to IoT at the network level, and many have Mocana security onboard," Mocana's VP of marketing, Keao Caindec, told SecurityWeek; "but what is still missing is really a focus on protecting the supply chain."
A primary problem is a lack of essential security on the devices. Manufacturers still cut corners to keep costs down and speed of delivery up, while users tend to spend their security budget on threat detection and firewalls surrounding the devices rather than ensuring that each device has its own security. Mocana's device security can add security capabilities to the device. Now, with the launch of a new TrustCenter platform, it can also ensure that firmware updates and patches are genuine and not compromised by man-in-the-middle attacks.
Protecting the supply chain now completes the Mocana process of applying security to the complete IoT device security lifecycle.
Supply chain attacks are already happening. In one example, reported by Brian Krebs, the U.S. Secret Service issued an alert to banks in March 2018. Criminals are intercepting mail containing corporate debit payment cards. They swap the existing chip for an old or invalid chip and allow it to be delivered to the customer. The customer receives the apparently new card and activates it. Once this happens, the criminals can use the stolen chip for their own purposes.
The Secret Service warning does not indicate how the criminals intercept the card. However, an investigation by the BBC in 2017 describes postal workers in the UK being offered £1000 per week to intercept and steal mail, including bank cards. "In 2016," says the BBC, "there were 11,377 cases of fraud where a card is stolen in transit, costing card issuers £12.5m."
For embedded and installed devices, criminals are more likely to attack and compromise the software update process. "Securing devices during firmware updates is a big issue," said Caindec. "Automobile manufacturers have a big problem in front of them in scaling to support up to 100 ECUs (engine control units) in cars, controlling everything from infotainment to autonomous driving and obstacle avoidance -- and they need to update those in an almost constant stream of updates. How do you ensure that all of those updates are trusted and not being implemented on devices that are already compromised?"
Part of the larger issue of ensuring the integrity of the supply chain, he added, "is the sheer complexity, because it includes the component manufacturers, the software developer, and the operators and end users of the devices that need to be updated."
To ease this problem, his firm has announced the new Mocana TrustCenter. Its three primary purposes are to provide supply chain integrity, to allow faster development and provisioning of devices containing TrustPoint security, and to reduce costs by automating secure enrollment and provisioning at a scale suitable for the billions of IoT devices being manufactured.
"It is a services platform that allows manufacturers and operators of devices to securely enroll and update their devices," he explained. "We automate the enrollment of the devices by using the enrollment over secure transport (EST -- RFC 7030) standard that automates certificate management. Customers can now implement a secure credential in these IoT devices automatically within seconds, reducing many of the manual processes that companies go through, from minutes down to seconds. This will help companies to really scale IoT and to secure their devices."
TrustCenter also provides a secure update service. "It is really a platform that we provide, that sits on the customer's own metal or in their public or private cloud infrastructure." It automates secure device onboarding, enrollment and over-the-air (OTA) updates for IoT and ICS. Mission-critical systems used in aerospace, defense, industrial manufacturing, transportation, medical, and automotive can now automate the IoT security software integration process.
It enables, continued Caindec, "a software developer to make a change to firmware, sign the code and pass it on to the manufacturer. The manufacturer can sign it, and provide it to the owner of the device -- who can then sign it and implement it securely knowing that the device is going to be able to verify through MFA software on the device that the software developer and manufacturer and owner have all approved this update. Only then will it decrypt the software and install the update."
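The chain of approvals described above can be sketched as a device-side check. This is an added example, not Mocana's code: Ed25519 signatures, the payload layout, the throwaway keys and every name in it are assumptions, and the decryption step that follows a successful check is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Approval order from the article; the names and bundle layout are assumptions.
var roles = []string{"developer", "manufacturer", "owner"}

// payload is what a role signs: its name, the firmware digest and all earlier
// signatures, so approvals cannot be reordered or moved to another image.
func payload(fw []byte, prior [][]byte, role string) []byte {
	d := sha256.Sum256(fw)
	msg := append([]byte(role+"\x00"), d[:]...)
	for _, s := range prior {
		msg = append(msg, s...)
	}
	return msg
}

// Approve returns sigs extended with the next role's signature (three at most).
func Approve(fw []byte, sigs [][]byte, key ed25519.PrivateKey) [][]byte {
	return append(sigs, ed25519.Sign(key, payload(fw, sigs, roles[len(sigs)])))
}

// Verify is the device-side gate: nil only if all three roles approved fw.
func Verify(fw []byte, sigs [][]byte, trusted []ed25519.PublicKey) error {
	if len(sigs) != len(roles) || len(trusted) != len(roles) {
		return fmt.Errorf("need %d approvals, got %d", len(roles), len(sigs))
	}
	for i, role := range roles {
		if !ed25519.Verify(trusted[i], payload(fw, sigs[:i], role), sigs[i]) {
			return fmt.Errorf("bad %s signature", role)
		}
	}
	return nil
}

func main() {
	fw, sigs, pubs := []byte("constructed firmware image"), [][]byte{}, []ed25519.PublicKey{}
	for range roles {
		pub, priv, _ := ed25519.GenerateKey(nil) // throwaway demo keys
		pubs, sigs = append(pubs, pub), Approve(fw, sigs, priv)
	}
	fmt.Println("all three:", Verify(fw, sigs, pubs))
	fmt.Println("owner missing:", Verify(fw, sigs[:2], pubs))
}
```

Because each signature covers the ones before it, a bundle signed in the wrong order or re-attached to a different image fails at the first role whose payload no longer matches.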
The new Mocana TrustCenter secures the device firmware supply chain, while the Mocana TrustPoint secures the device itself. By integrating the two, Mocana seeks to secure the complete IoT security lifecycle.
“Traditional IT and OT security approaches are not enough to defend against the sophisticated threats from hackers and state actors,” comments William Diotte, Mocana's CEO. “With escalating cyber-attacks on critical infrastructure and IoT, it’s imperative that industrial companies implement stronger controls in their automation and control equipment. Mocana TrustCenter and TrustPoint make it easier to implement strong security into devices by automating the lifecycle of cybersecurity for a device.”
San Francisco, CA-based Mocana was founded in 2004, originally to provide security for devices in military equipment, from aircraft to tanks. Since then it has diversified and raised a total of $80.7 million in a series of relatively small funding rounds, including a $25 million Series D round in 2012. The most recent Series F funding, for $11 million, was announced in May 2017.